In the event of an IT security incident (hereinafter referred to as a malfunction), it is not only technical tasks that must be performed; non-technical tasks must be handled as well. These include complying with and communicating reporting obligations.

Reporting obligations in the event of an IT security incident

In the event of an IT security incident, not only technical tasks must be performed. Non-technical tasks must also be handled. These include, among other things, complying with and communicating reporting obligations. This article is intended to provide a deeper insight into the important topic of reporting obligations in the event of an IT security incident.

In addition to the DSGVO (GDPR), which applies throughout Europe, there is also the IT-Sig (the German IT Security Act).

The IT-Sig is an omnibus act (Artikelgesetz) that amends existing laws such as the BSIG, the TKG, the TMG and the AtomG.

Basically, the reporting obligation raises three questions, which are clarified below.

What must be reported?

When it comes to the question of what must be reported, a rough distinction can be made between two types of incidents: ordinary incidents and significant incidents.

Ordinary incidents are incidents that are either caused by minor technical failures or are classified as so harmless that neither the company nor its data is affected. A technical failure can be, for example, a harmless hardware failure that does not affect any security-critical components. Harmless attacks include general spam or phishing with no discernible targeted motivation, or malware that security tools have detected and removed.

Significant incidents, on the other hand, are subject to mandatory reporting and can have a serious impact on companies and their IT systems. Significant incidents include previously unknown malware whose purpose and potential impact on the infrastructure cannot be determined. Likewise, targeted phishing attacks are considered a significant incident: these can be tailored to the company and form part of a larger attack on it. We look at the different types of phishing in our article (Digital Threats: Phishing). In addition, the exploitation of previously unknown security vulnerabilities, known as zero days (see Exchange article), may be reportable.

When must an incident be reported?

If a significant incident occurs, it must be reported immediately. All information available at that point must be submitted to the BSI, including:

– information on the type of incident and the type of systems affected,

– details of the cause or initial assumptions,

– contact persons.

To ensure that nothing falls by the wayside during this usually hectic phase, the BSI provides a template for correct reporting. If it is not possible to answer all the questions about the incident at the time of the report, the report must be marked as an initial report. The rule here is speed before completeness. Follow-up reports can then be made, and as soon as all the required information is available, a final report can be made. The final report is made after the incident has been completely remedied and concludes the reporting obligation of the affected party to the BSI.
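As an added example (this is not code from the original article, nor SECUINFRA's or the BSI's own tooling), the following Python sketch models the report sequence just described: an incomplete first report is allowed but is marked as an initial report, follow-up reports add information, and a final report is only accepted once the incident has been completely remedied and every required field is answered, after which the obligation is concluded. The required field names are assumptions derived from the bulleted list above, not the fields of the BSI template, and the case data is constructed.

```python
"""Report-lifecycle tracker for a reportable IT security incident.

Added example; not the BSI template and not SECUINFRA code. It enforces
"speed before completeness": an initial report may go out incomplete, but a
final report is refused while remediation is unfinished or data is missing.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

# Assumed required fields, taken from the list in the text (type of incident,
# systems affected, cause or initial assumptions, contact persons).
REQUIRED_FIELDS = ("incident_type", "affected_systems", "cause", "contacts")


class ReportKind(str, Enum):
    INITIAL = "initial"
    FOLLOW_UP = "follow-up"
    FINAL = "final"


@dataclass
class Report:
    kind: ReportKind
    submitted_at: datetime
    data: dict      # everything known at submission time
    missing: list   # required fields still unanswered (empty for a final report)


@dataclass
class IncidentCase:
    case_id: str
    known: dict = field(default_factory=dict)
    reports: list = field(default_factory=list)
    remedied: bool = False

    def missing_fields(self) -> list:
        return [f for f in REQUIRED_FIELDS if not self.known.get(f)]

    def concluded(self) -> bool:
        """True once a final report has been submitted."""
        return bool(self.reports) and self.reports[-1].kind is ReportKind.FINAL

    def finalization_blockers(self) -> list:
        """Reasons a final report would be rejected now (empty means allowed)."""
        blockers = []
        if not self.remedied:
            blockers.append("incident not yet completely remedied")
        for f in self.missing_fields():
            blockers.append(f"required field missing: {f}")
        return blockers

    def submit(self, new_info: dict, final: bool = False) -> Report:
        """Record a report. Empty values are ignored so a field never regresses
        from known to unknown between reports."""
        if self.concluded():
            raise ValueError(f"{self.case_id}: reporting obligation already concluded")
        self.known.update({k: v for k, v in new_info.items() if v})
        if final:
            blockers = self.finalization_blockers()
            if blockers:
                raise ValueError(f"{self.case_id}: final report not allowed: {blockers}")
            kind = ReportKind.FINAL
        elif not self.reports:
            kind = ReportKind.INITIAL    # first report; may be incomplete
        else:
            kind = ReportKind.FOLLOW_UP
        report = Report(kind, datetime.now(timezone.utc), dict(self.known),
                        self.missing_fields())
        self.reports.append(report)
        return report


def demo() -> list:
    """Walk a constructed case through initial, follow-up and final report;
    returns the sequence of report kinds."""
    case = IncidentCase("CASE-0001")  # constructed sample case id
    # Initial report: cause still unknown, so it is incomplete but goes out immediately.
    case.submit({"incident_type": "previously unknown malware on file server",
                 "affected_systems": ["srv-files-01"],
                 "contacts": "soc@example.invalid"})
    # Follow-up once the root cause is understood.
    case.submit({"cause": "malicious attachment opened via phishing mail"})
    case.remedied = True              # set only after clean-up is finished
    case.submit({}, final=True)
    return [r.kind.value for r in case.reports]


if __name__ == "__main__":
    print(demo())
```

The useful part for an incident handler is `finalization_blockers()`: it can be shown on a dashboard so the team sees at any moment which answers the BSI is still owed and whether the case can be closed out with a final report.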

Who must report an incident?

Companies in the seven CRITIS sectors:

– energy,

– information technology,

– telecommunications,

– water and food,

– finance and insurance,

– transport and traffic,

– health.

Telecommunications companies must also submit a report to the Federal Network Agency.

SECUINFRA Falcon Team · Author

Digital Forensics & Incident Response experts

The SECUINFRA Falcon Team specializes in the areas of Digital Forensics (DF) and Incident Response (IR). This includes classic host-based forensics, but also topics such as malware analysis and compromise assessment. In addition to the work it is responsible for in customer engagements, the Falcon Team also takes care of the operation, further development and research of various projects and topics in the DF/IR area. These include, for example, threat intelligence and the creation of detection rules based on Yara.